Arrangement and method for coding and decoding digital
data on the basis of the Internet Protocol

The Internet Engineering Task Force (IETF) is
currently developing the next generation of the
Internet Protocol (IP). The next generation of the
Internet Protocol is called Version 6 of the Internet
Protocol (IPv6). The Internet Protocol is a network
layer protocol within the context of the OSI (Open
Systems Interconnection) communication layer
architecture. The Internet Protocol is the central
element for linking various, autonomous communication
networks to the worldwide Internet.

The format of the Internet Protocol is 
described in [1] for example. 

An overview of Version 6 of the Internet
Protocol (IPv6) can be found in [2].

Within the scope of the international work
relating to IPv6, it is known practice to develop
security extensions for the Internet Protocol. These
security extensions, which can also be implemented
within the scope of the currently up-to-date Version 4
of the Internet Protocol, are called IPsec. These are
described in [3], for example.

The message format of the IPsec services uses
the so-called IP Authentication Header, which is used
to protect the integrity and authenticity of IP
datagrams, and the so-called "IP Encapsulating
Payload", which is used to protect the confidentiality
and integrity of the data from higher protocol layers,
e.g. the User Datagram Protocol (UDP) or the Transport
Control Protocol (TCP), in so-called "transparent
mode", or of entire IP datagrams, in so-called "tunnel
mode".

The so-called OSI communication layers are
described in detail in [4].

[5], [6], [7], [8] disclose so-called IPsec
standards, in which two methods of allocating
cryptographic keys are provided: within the context of
so-called "Host Oriented Keying", all processes and
users communicating between two terminals using IPv6 or
using an IPv4 extended by IPsec use the same
cryptographic key material. Within the context of
so-called "User Oriented Keying", various users or
processes on the two terminals communicating with one
another can be allocated various cryptographic keys. In
the case of IPv4, known transport system interfaces,
for example Berkeley Sockets, Streams TLI, Winsockets,
etc., are used for communication. However, so that
applications, i.e. unspecified programs or processes,
in relatively high network layers can use the novel
security services of IPsec or else, generally, the new
services of IPv6, extensions are currently being
developed for the established transport system
interfaces.

An Internet key management component (Internet
Key Management Protocol, IKMP) and associated boundary
conditions on the Internet are described in the form of
so-called Internet Drafts in [9], [10], [11], [12],
[13], [14], [15], [16] and [17].

However, one significant problem is that
existing applications are not readily able to use the
novel services provided by IPsec or by IPv6. To date,
the novel services cannot be addressed without
additional measures.

[1] discloses that the applications wishing to
use the services of IPv6 and IPsec need to be matched
to the new transport system interfaces by modifying
the applications. This document also discloses the
practice of using configuration files for use for the
new services. In this context, these configuration
files are, in the first instance, static and, in the
second instance, are component parts of the IPsec and
IPv6 implementations. These configuration files inform
a system with IPsec or IPv6 capability of the form in
which it needs to provide transport services for an
existing application without IPsec or IPv6 capability.
In these two practices, however, a considerable
disadvantage can be seen in that already existing
applications cannot be modified in a general way, in
view of the considerable quantity of existing
applications. In addition, IPsec and IPv6
implementations do not support any interaction with
applications or users.

The invention is based on the problem of
specifying a method and an arrangement for coding
digital data on the basis of the Internet Protocol and
also a method and an arrangement for decoding digital
data on the basis of the Internet Protocol which
provide a simple means of enabling applications which
were developed for an older version of the Internet
Protocol to access the novel services of an Internet
Protocol of the new generation.

The problem is solved by the arrangements and 
methods having the features based on the independent 
patent claims.

An arrangement for coding digital data on the
basis of the Internet Protocol has a first means which
is used to code the data on the basis of the format of
a first Internet Protocol to give data having a first
Internet Protocol format. In addition, a mapping unit
is provided, which is used to map the data having the
first Internet Protocol format onto data which can be
processed by a second means, the second means being
used to code the data on the basis of the format of a
Internet Protocol format.

On the basis of the arrangement for decoding
digital data existing in a second Internet Protocol
format on the basis of the Internet Protocol, a second
means is provided which is used to decode the data on
the basis of the format of a second Internet Protocol
to give data having a decoded second Internet Protocol
format. In addition, a mapping unit is provided, which
is used to map the data having the decoded second
Internet Protocol format onto data which can be
processed by a first means, the first means being used
to decode the data on the basis of the format of a
first Internet Protocol to give the data.

In a method for coding digital data on the
basis of the Internet Protocol, the data are coded on
the basis of the format of a first Internet Protocol to
give data having a first Internet Protocol format. The
data having the first Internet Protocol format are
mapped onto data which can be processed during further
coding on the basis of a second Internet Protocol
format. In a last step, the data are coded on the basis
of the format of a second Internet Protocol to give
data having a second Internet Protocol format.

In a method for decoding digital data existing
in a second Internet Protocol format on the basis of
the Internet Protocol, the data are decoded on the
basis of the format of a second Internet Protocol to
give data having a decoded second Internet Protocol
format. In addition, the data having the decoded second
Internet Protocol format are mapped onto data which can
be processed during decoding on the basis of a first
Internet Protocol format. The data are finally decoded
on the basis of the format of a first Internet Protocol
to give the data.

The arrangement and the method provide very
simple means of permitting old applications which can
use only the services of Internet Protocol Version 4
or older versions to use "IPsec or IPv6" as well. This
means that the arrangement and the method make it
possible for the new services offered by IPsec and
IPv6, in general newer versions of the Internet
Protocol, to be used with the "old" applications as
well without the need to change the applications
themselves.

The invention can clearly be seen in the
addition, in the previously known architecture of the OSI
communication layers, of an intermediate layer between
the Internet Protocol layer (IP layer), which is also
called network layer within the context of the OSI
network architecture, of the "old" IPv4 and the "new"
IPv6 or IPsec. This intermediate layer is used as a
generic means in order to make future transport
services of IPv6 available to applications which are
based on the existing Version 4 of the Internet
Protocol, and hence to assist the migration of said
future transport services into the new network
infrastructure.

This intermediate layer can be implemented and
integrated both at application level and at operating
system level. It is also possible to use this
intermediate layer to provide a so-called proxy
service.

Advantageous developments of the invention can 
be found in the dependent claims. 

In one development, it is advantageous both for
the arrangements and for the methods that the mapping
unit has a parameter determination unit for determining
parameters, and that, during mapping, additional
parameters are determined which are necessary for
coding the data having the first Internet Protocol
format to give data in the second Internet Protocol
format.

In addition, in one development, it is
advantageous to design the parameter determination unit
on the basis of at least one of the following types and
to determine the parameters in one of the following
ways:

- depending on the arrangement itself,

- depending on a user of the arrangement,

- depending on a process currently being carried out by
the arrangement, or

- to determine the parameters from a database to which
the arrangement has access, for example from a local
database of the arrangement.

The figures show an illustrative embodiment of
the invention, and this illustrative embodiment is
explained in more detail below.

In the figures

Figure 1 shows a sketch of the arrangement for coding,
transmitting and for decoding digital data;

Figure 2 shows a sketch of the procedure when mapping
IPv4 applications onto data for IPv6 and
IPsec.

Figure 1 shows a first arrangement 100 for 
coding digital data. 

For the purposes of clear illustration, the OSI
communication layers are used within the scope of the
description below, these layers being described in
detail in [4].

An application, preferably an application
program which generates, on the basis of the Internet
Protocol, digital data which are to be transmitted, is
logically arranged in a so-called application layer
101.

So-called protocol data units (PDU) are
exchanged between the individual layers. The individual
PDUs 111 are uniquely associated with the individual
layers.

Respective coding rules dependent on the
respectively chosen known implementation of the layer
are put into effect in the individual layers.

The respective layer can be implemented both in
software and in hardware.

Within the scope of the arrangement, each layer
is respectively in the form of a means used to
implement the individual method steps on the basis of
the communication protocol which is to be implemented
in the respective layer.

The PDUs 111 of the application layer are
supplied to a presentation layer 102.

After the PDU 111 from the application layer
101 has been processed on the basis of the rules of the
presentation layer, a PDU 112 of the presentation layer
102 is supplied to a communication control layer 103.

After the PDU 112 of the presentation layer 102
has been processed on the basis of the protocol used in
the communication control layer 103, a PDU 113 of the
communication control layer is supplied to a transport
layer 104.

The transport layer 104 preferably has the
so-called transport control protocol (TCP) or else the
user datagram protocol (UDP) implemented in it. After
the PDU 113 from the communication control layer 103
has been encapsulated, the transport layer 104, i.e.
the means used to implement the
transport layer, supplies a PDU 114 of the transport
layer 104 to a network layer 105.

The network layer 105 usually has the Internet
Protocol (IP), either in Version 4 or else in Version 6
or else in IPsec, implemented in it. Within the scope
of the invention, a first Internet Protocol is
implemented in the network layer, i.e. the data which
are supplied to the network layer 105 in the form of
the PDU 114 of the transport layer 104 are coded on the
basis of the format of a first Internet Protocol (IPv4)
to give data existing in a first Internet Protocol
format.

The data having the first Internet Protocol
format are supplied as PDU 115 of the network layer 105
to a mapping unit 106 used to implement an intermediate
layer 106. The mapping unit 106 is used to map the data
existing in the first Internet Protocol format 115 onto
data which can be processed by a second means, a second
network layer 107.

The data are supplied to the second network
layer 107 in an intermediate layer PDU 116 in a format
which the second network layer can process. In the
second network layer 107, which is provided by a second
means, the data are coded on the basis of the format of
a second Internet Protocol (IPv6, IPsec) to give data
existing in a second Internet Protocol format and are
supplied to a data link layer 108 in the form of a PDU
117 having the second Internet Protocol format.

The data link layer 108 forms a PDU 118 of the
data link layer 108 and supplies it to the physical
connection layer 109.

The operations for mapping the PDU 115 from the
network layer 105 in the intermediate layer 106 are
explained in more detail below with the aid of
figure 2.

One application based on Internet Protocol
Version 4 201 usually uses existing transport system
interfaces of IPv4, e.g. Berkeley Sockets or Streams
TLI. The existing transport system interfaces 202 are
provided entirely by the intermediate layer, i.e. the
network layer 105 sees the mapping unit 106, i.e. the
intermediate layer 106, as a data link layer.

The PDU 115 which has been adopted from the
network layer 105 by the intermediate layer 106 is
mapped onto the new transport system interfaces 203 of
a second Internet Protocol (IPv6, IPsec). The new
transport system interfaces 203 have dedicated security
interfaces 204. Depending on the transport services
provided in the second network layer 107, for example
additional security services, additional parameters are
required for coding on the basis of the second Internet
Protocol format, in order to be able to use these
services. An overview of various security parameters
required within the context of IPsec and IPv6 is
described in [4] in connection with the respectively
provided methods for IPsec, IPv4 for the purpose of
cryptographic data protection.

Within the context of this mapping, the
invention also provides for the inclusion or
integration of an Internet key management component
(Internet Key Management Protocol, IKMP) 205 as
described in [9], [10], [11], [12], [13], [14], [15],
[16] and [17].

The coded data are transmitted in the form of
data packets 112, containing the data in the second
Internet Protocol
format, from the first arrangement 100 to a second
arrangement 120 by means of a transmission unit 110.

The arrangements can be implemented both in
software and in hardware, for example in a computer or
else in a specific digital-electronic circuit matched
to the task.

In the second arrangement 120, the data packets
112 are received and are supplied to a physical
connection layer 121 of the second arrangement 120.

After de-encapsulation on the basis of the protocol of
the physical connection layer 121, a PDU 131 of the
physical connection layer 121 is supplied to the data
link layer 122 of the second arrangement 120.

After further de-encapsulation, i.e. decoding,
in the data link layer 122, a PDU 132 of the data link
layer 122 is supplied to the second network layer 123
of the second arrangement 120, in which
de-encapsulation is performed on the basis of the
second Internet Protocol format, i.e. on the basis of
IPv6 or IPsec. Within the context of this decoding, by
way of example, the cryptographic protection of the
transmission is also implemented on the basis of IPv6
or IPsec.

The decoded data in the second protocol format
are supplied as PDU 133 to the mapping unit 124, i.e.
to the intermediate layer 124, and are in turn
subjected to mapping. The mapping in the intermediate
layer 124 is the inverse of the mapping in the
intermediate layer 106 in the first arrangement 100.

The parameters required for processing can be
determined in various ways. The parameter determination
unit of the intermediate layer 106, 124 needs to be
designed on the basis of the determination. The
additionally required parameters may, by way of
example, be configured on the basis of a specific
output system, on the basis of a specific
user or else on the basis of a specific process. In
this context, on the basis of a specific output system
means depending on the respective arrangement used. On
the basis of a specific user, in this context, means
depending on the respective user currently using the
arrangement. On the basis of a specific process, in
this context, means depending on the process currently
carried out by the arrangement.

Alternatively, the parameters can be requested
from, by way of example, locally available security
policy databases or general databases, or else can be
determined interactively with a user of the
arrangements.
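
An added example, not part of the patent text: one way the mapping unit and its parameter determination unit could handle a single unfragmented IPv4 datagram. The IPv4-mapped address form (::ffff:a.b.c.d), the policy table schema and the names `POLICY_DB`, `determine_parameters`, `v4_mapped`, `map_v4_to_v6` and `sample_v4_pdu` are assumptions; the text does not specify them.

```python
import ipaddress
import struct

# Constructed policy table standing in for the local database. The scopes
# follow the text (process, user, arrangement); the schema is an assumption.
POLICY_DB = [
    ("process", "telnet", {"service": "esp", "spi": 0x1001}),
    ("user", "alice", {"service": "ah", "spi": 0x2001}),
    ("arrangement", "*", {"service": "none", "spi": None}),
]

def determine_parameters(user, process):
    """Parameter determination unit: the first matching entry wins."""
    context = {"process": process, "user": user, "arrangement": "*"}
    for scope, key, params in POLICY_DB:
        if context[scope] == key:
            return params
    raise LookupError("no policy entry applies")

def v4_mapped(addr4):
    """Embed 4 IPv4 address bytes as ::ffff:a.b.c.d (assumed address mapping)."""
    return b"\x00" * 10 + b"\xff\xff" + addr4

def map_v4_to_v6(pdu, user, process):
    """Intermediate layer: IPv4 PDU in, (IPv6 PDU, security parameters) out."""
    if len(pdu) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    vihl, tos, total, _id, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pdu[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(pdu):
        raise ValueError("malformed IPv4 header")
    if frag & 0x3FFF:  # MF flag set or non-zero fragment offset
        raise ValueError("fragmented datagrams are rejected")
    payload = pdu[ihl:total]  # IPv4 options and trailing padding are dropped
    first_word = (6 << 28) | (tos << 20)  # version 6, traffic class, flow label 0
    header = struct.pack("!IHBB16s16s", first_word, len(payload), proto, ttl,
                         v4_mapped(src), v4_mapped(dst))
    # The parameters are handed to the second network layer with the PDU;
    # applying AH or ESP itself is outside this example.
    return header + payload, determine_parameters(user, process)

def sample_v4_pdu(frag=0x4000):
    """Constructed IPv4/UDP datagram, 192.0.2.1 -> 198.51.100.7, DF set."""
    payload = struct.pack("!HHHH", 1024, 7, 12, 0) + b"ping"
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(payload), 1,
                         frag, 64, 17, 0,
                         ipaddress.IPv4Address("192.0.2.1").packed,
                         ipaddress.IPv4Address("198.51.100.7").packed)
    return header + payload

if __name__ == "__main__":
    v6_pdu, params = map_v4_to_v6(sample_v4_pdu(), user="bob", process="telnet")
    print(ipaddress.IPv6Address(v6_pdu[8:24]), "->",
          ipaddress.IPv6Address(v6_pdu[24:40]), params)
```

A transport checksum computed over the IPv4 pseudo-header is carried through unchanged here; a deployment would recompute it for the IPv6 pseudo-header.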

After mapping in the intermediate layer 124, a
PDU 134 is available which can be processed by the
network layer 125, which is provided on the basis of
the "old" Internet Protocol (IPv4). The PDU 134 of the
intermediate layer 124 is supplied to the network layer
125, i.e. to the first means, and is decoded, i.e.
de-encapsulated, on the basis of the first Internet
Protocol format.

The result of de-encapsulation is that the
network layer 125 forms a PDU 135 which is supplied to
the transport layer 126. The transport layer 126 forms
a PDU 136 which is supplied to the communication
control layer 127.

The communication control layer 137 supplies a
PDU 137 of the communication control layer 137 to the
presentation layer 128. The presentation layer 128
forms a PDU 138 which is supplied to the application
layer 129.

The double arrows in figure 1 indicate the
bidirectional communication between the arrangements
100, 120.

The text below illustrates a few alternatives
to the arrangements and methods described above.

Both the first arrangement 100 and the second
arrangement 120 may also be provided independently,
without the transmission medium, i.e. the transmission
unit 110.

In addition, the transmission unit 110 can be
understood such that any desired number of routers or
bridges may be provided as switching units. The
transmission unit 110 thus represents merely a logical
channel between the first arrangement 100 and the
second arrangement 120.

The invention can clearly be seen in the
provision of an intermediate layer 106, 124 between the
network layer used to provide the "old" Internet
Protocol Version 4 and a second network layer, which is
used to provide the "new" Internet Protocol (IPv6,
IPsec), said intermediate layer being used to map the
data formats of the IPv4 protocol format onto the IPv6
protocol format.